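# Tekton Task that clones an image repository, builds it against a
# docker-in-docker (dind) sidecar, pushes the result and fetches the scan
# results. This is a Helm template: every templated scalar is quoted so that
# an empty value renders as "" instead of null, and every Values reference uses
# the root scope ($.Values) so the template also renders correctly inside a
# range block.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: image-tasks
  namespace: "{{ $.Release.Namespace }}"
spec:
  description: >-
    This task builds images if source is provided
  workspaces:
    - name: k8s_cluster_data
    - name: development_pipeline_data
  steps:
    # The Harbor CA is mounted as a single file (subPath) so it does not shadow
    # the CA bundle directory shipped in the image.
    - name: clone
      image: "{{ $.Values.tasks.image.buildImage }}"
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
        - mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
          name: harbor-ca
          subPath: harbor-ca
      script: |
        /jarvis/git_clone_image_repo.sh
    # Print the shared image.json so its state after the previous step is
    # visible in the step log.
    - name: set-image-output
      image: "{{ $.Values.tasks.image.buildImage }}"
      script: |
        #!/usr/bin/env sh
        cat "$(workspaces.development_pipeline_data.path)/image.json"
    # NOTE(review): update-ca-certificates runs here but only dind-certs is
    # mounted in this step; the Harbor CA file is mounted in the clone step
    # only. Presumably the build image already carries any extra CA it needs -
    # confirm.
    - name: docker-build
      image: "{{ $.Values.tasks.image.buildImage }}"
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
      env:
        # Connect to the sidecar over TCP, with TLS.
        - name: DOCKER_HOST
          value: tcp://localhost:2376
        # Verify TLS.
        - name: DOCKER_TLS_VERIFY
          value: '1'
        # Use the certs generated by the sidecar daemon.
        - name: DOCKER_CERT_PATH
          value: /certs/client
      script: |
        update-ca-certificates
        /jarvis/build_docker_image.sh
    # Print image.json again so the result of the build step is logged.
    - name: set-image-build-output-after-build
      image: "{{ $.Values.tasks.image.buildImage }}"
      script: |
        #!/usr/bin/env sh
        cat "$(workspaces.development_pipeline_data.path)/image.json"
    # Registry push credentials are mounted as a single file from the
    # harbor-docker-auth secret and are only visible to this step.
    - name: publish-and-scan-image
      image: "{{ $.Values.tasks.image.buildImage }}"
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
        - mountPath: /tekton/home/.docker/config.json
          name: image-push-creds
          subPath: .dockerconfigjson
      env:
        # Connect to the sidecar over TCP, with TLS.
        - name: DOCKER_HOST
          value: tcp://localhost:2376
        # Verify TLS.
        - name: DOCKER_TLS_VERIFY
          value: '1'
        # Use the certs generated by the sidecar daemon.
        - name: DOCKER_CERT_PATH
          value: /certs/client
      script: |
        /jarvis/push_docker_image.sh
    # Print image.json after the publish/scan step.
    - name: set-image-output-after-publish-scan
      image: "{{ $.Values.tasks.image.buildImage }}"
      script: |
        #!/usr/bin/env sh
        cat "$(workspaces.development_pipeline_data.path)/image.json"
    - name: get-scan-results
      image: "{{ $.Values.tasks.image.buildImage }}"
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
      script: |
        /jarvis/get_image_scan_results.sh
    # Print image.json after the scan results have been recorded.
    - name: set-image-output-set-scan-results
      image: "{{ $.Values.tasks.image.buildImage }}"
      script: |
        #!/usr/bin/env sh
        cat "$(workspaces.development_pipeline_data.path)/image.json"
  sidecars:
    # dind daemon shared by the build and push steps. It runs privileged (see
    # TODO below) and with --insecure-registry, which disables TLS verification
    # for the single configured registry only; keep that value scoped to the
    # internal registry. --debug makes the daemon log verbosely.
    - image: "{{ $.Values.tasks.image.sidecarServer }}"
      name: server
      script: |
        # Alpine's update-ca-certificates does not support directories, so copy files
        # Copy files instead of mounting to prevent overriding built-in certificates
        if ls /internal-certs/*.crt ; then
          cp /internal-certs/*.crt /usr/local/share/ca-certificates/
        fi
        update-ca-certificates
        /usr/local/bin/dockerd-entrypoint.sh \
          --storage-driver=overlay2 \
          --userland-proxy=false \
          --debug \
          --insecure-registry={{ $.Values.tasks.image.insecureRegistry }}
      # TODO: Get rid of privileged true
      securityContext:
        privileged: true
      env:
        # Write generated certs to the path shared with the client.
        - name: DOCKER_TLS_CERTDIR
          value: /certs
        # Proxy settings are set in both lower- and upper-case form because
        # tooling inside the daemon reads either; quoted so an unset value
        # renders as "" rather than null.
        - name: http_proxy
          value: "{{ $.Values.proxy.http_proxy }}"
        - name: https_proxy
          value: "{{ $.Values.proxy.https_proxy }}"
        - name: no_proxy
          value: "{{ $.Values.proxy.no_proxy }}"
        - name: HTTP_PROXY
          value: "{{ $.Values.proxy.http_proxy }}"
        - name: HTTPS_PROXY
          value: "{{ $.Values.proxy.https_proxy }}"
        - name: NO_PROXY
          value: "{{ $.Values.proxy.no_proxy }}"
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
        - mountPath: /var/lib/docker
          name: var-lib-docker
        - mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
          name: harbor-ca
          subPath: harbor-ca
        {{ if $.Values.proxy.internal_certs_dir }}
        - mountPath: /internal-certs
          name: internal-certs
        {{ end }}
      # Wait for the dind daemon to generate the certs it will share with the
      # client.
      readinessProbe:
        periodSeconds: 1
        exec:
          command: ['ls', '/certs/client/ca.pem']
  volumes:
    - name: dind-certs
      emptyDir: {}
    - name: var-lib-docker
      emptyDir: {}
    - name: image-push-creds
      secret:
        secretName: harbor-docker-auth
    # NOTE(review): helm-publish-creds is not mounted by any step or sidecar in
    # this Task; presumably consumed elsewhere or left over - confirm before
    # removing.
    - name: helm-publish-creds
      secret:
        secretName: harbor-basic-auth
    - name: harbor-ca
      secret:
        secretName: harbor-ca
    {{ if $.Values.proxy.internal_certs_dir }}
    # Host directory of extra CA certificates; type Directory means the pod
    # fails if the path does not already exist on the node.
    - name: internal-certs
      hostPath:
        path: "{{ $.Values.proxy.internal_certs_dir }}"
        type: Directory
    {{ end }}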